saml_idp 0.0.1

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    YmY2NmYwOWVjNjFlNDcxMDg3MGEyNDRmN2ZlNTM3MDk2MWNiOWVjYg==
+  data.tar.gz: !binary |-
+    ODQ2MDYxY2VjNWRmNjc1MzUwY2FjZmFmMGQyNTY5NDMxNWU1YTU2NA==
+!binary "U0hBNTEy":
+  metadata.gz: !binary |-
+    MDFkYjUwMjRkZmIxMThmOWFkZmQxYjFmYzc0YjFlOGY0MGYxM2E1NzVlMzAy
+    NzY2MzE1N2NhYjY1MWE0N2MxM2I1YTI0MjViZjAzMzk3ZjZiNGYzOTA2MmJj
+    NTFmMmI3ZmE4YzQwMzg0OGJkNmQwMzUyZTFmZDk4MmNiM2MyNmQ=
+  data.tar.gz: !binary |-
+    NTEyMzQxNWEzYzA5ZGJhNDk3MTk2ZDZlMmZlYmQzYmU3OGU0NWI2ZjVlMDcy
+    NzMxOTYxYjJiMjEzMTk5YmQyOTg3NDRmNWUxOGZjOGE0MDFjNjM5OGMzNmYy
+    NjUzNTZkMWI1M2U4NGE0ZjIzNWFiMzM1MWJiYjAxYTZiOGIyZjc=

data/Gemfile

@@ -0,0 +1,2 @@
+source "http://rubygems.org"
+gemspec

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Sport Ngin (http://sportngin.com)
+Portions Copyright (c) 2010 OneLogin, LLC
+Portions Copyright (c) 2012 Lawrence Pit (http://lawrencepit.com)
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,197 @@
+# Ruby SAML Identity Provider (IdP)
+Forked from https://github.com/lawrencepit/ruby-saml-idp
+
+[![Build Status](https://travis-ci.org/sportngin/saml_idp.png)](https://travis-ci.org/sportngin/saml_idp)
+
+The ruby SAML Identity Provider library is for implementing the server side of SAML authentication. It allows
+your application to act as an IdP (Identity Provider) using the
+[SAML v2.0](http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language)
+protocol. It provides a means for managing authentication requests and confirmation responses for SPs (Service Providers).
+
+This was originally setup by @lawrencepit to test SAML Clients. I took it closer to a real
+SAML IDP implementation.
+
+# Installation and Usage
+
+Add this to your Gemfile:
+
+    gem 'saml_idp'
+
+## Not using rails?
+Include `SamlIdp::Controller` and see the examples that use rails. It should be straightforward for you.
+
+Basically you call `decode_request(params[:SAMLRequest])` on an incoming request and then use the value
+`saml_acs_url` to determine the source for which you need to authenticate a user. How you authenticate
+a user is entirely up to you.
+
+Once a user has successfully authenticated on your system send the Service Provider a SAMLReponse by
+posting to `saml_acs_url` the parameter `SAMLResponse` with the return value from a call to
+`encode_response(user_email)`.
+
+## Using rails?
+Add to your `routes.rb` file, for example:
+
+``` ruby
+get '/saml/auth' => 'saml_idp#new'
+get '/saml/metadata' => 'saml_idp#show'
+post '/saml/auth' => 'saml_idp#create'
+```
+
+Create a controller that looks like this, customize to your own situation:
+
+``` ruby
+class SamlIdpController < SamlIdp::IdpController
+  def idp_authenticate(email, password) # not using params intentionally
+    user = User.by_email(email).first
+    user && user.valid_password?(password) ? user : nil
+  end
+  private :idp_authenticate
+
+  def idp_make_saml_response(found_user) # not using params intentionally
+    encode_response found_user
+  end
+  private :idp_make_saml_response
+end
+```
+
+## Configuration
+
+Be sure to load a file like this during your app initialization:
+
+```ruby
+SamlIdp.configure do |config|
+  base = "http://example.com"
+
+  config.x509_certificate = <<-CERT
+-----BEGIN CERTIFICATE-----
+CERTIFICATE DATA
+-----END CERTIFICATE-----
+CERT
+
+  config.secret_key = <<-CERT
+-----BEGIN RSA PRIVATE KEY-----
+KEY DATA
+-----END RSA PRIVATE KEY-----
+CERT
+
+  # config.algorithm = :sha256
+  # config.organization_name = "Your Organization"
+  # config.organization_url = "http://example.com"
+  # config.base_saml_location = "#{base}/saml"
+  # config.reference_id_generator                   # Default: -> { UUID.generate }
+  # config.attribute_service_location = "#{base}/saml/attributes"
+  # config.single_service_post_location = "#{base}/saml/auth"
+
+  # Principal is passed in when you `encode_response`
+  #
+  # config.name_id_formats # =>
+  #   {                         # All 2.0
+  #     email_address: -> (principal) { principal.email_address },
+  #     transient: -> (principal) { principal.id },
+  #     persistent: -> (p) { p.id },
+  #   }
+  #   OR
+  #
+  #   {
+  #     "1.1" => {
+  #       email_address: -> (principal) { principal.email_address },
+  #     },
+  #     "2.0" => {
+  #       transient: -> (principal) { principal.email_address },
+  #       persistent: -> (p) { p.id },
+  #     },
+  #   }
+
+  # config.attributes # =>
+  #   {
+  #     <friendly_name> => {                                                  # required (ex "eduPersonAffiliation")
+  #       "name" => <attrname>                                                # required (ex "urn:oid:1.3.6.1.4.1.5923.1.1.1.1")
+  #       "name_format" => "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", # not required
+  #       "getter" => ->(principal) {                                         # not required
+  #         principal.get_eduPersonAffiliation                                # If no "getter" defined, will try
+  #       }                                                                   # `principal.eduPersonAffiliation`, or no values will
+  #    }                                                                      # be output
+  #
+  ## EXAMPLE ##
+  # config.attributes = {
+  #   GivenName: {
+  #     getter: :first_name,
+  #   },
+  #   SurName: {
+  #     getter: :last_name,
+  #   },
+  # }
+  ## EXAMPLE ##
+
+  # config.technical_contact.company = "Example"
+  # config.technical_contact.given_name = "Jonny"
+  # config.technical_contact.sur_name = "Support"
+  # config.technical_contact.telephone = "55555555555"
+  # config.technical_contact.email_address = "example@example.com"
+
+  service_providers = {
+    "some-issuer-url.com/saml" => {
+      fingerprint: "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D",
+      metadata_url: "http://some-issuer-url.com/saml/metadata"
+    },
+  }
+
+  # `identifier` is the entity_id or issuer of the Service Provider,
+  # settings is an IncomingMetadata object which has a to_h method that needs to be persisted
+  config.service_provider.metadata_persister = ->(identifier, settings) {
+    fname = identifier.to_s.gsub(/\/|:/,"_")
+    `mkdir -p #{Rails.root.join("cache/saml/metadata")}`
+    File.open Rails.root.join("cache/saml/metadata/#{fname}"), "r+b" do |f|
+      Marshal.dump settings.to_h, f
+    end
+  }
+
+  # `identifier` is the entity_id or issuer of the Service Provider,
+  # `service_provider` is a ServiceProvider object. Based on the `identifier` or the
+  # `service_provider` you should return the settings.to_h from above
+  config.service_provider.persisted_metadata_getter = ->(identifier, service_provider){
+    fname = identifier.to_s.gsub(/\/|:/,"_")
+    `mkdir -p #{Rails.root.join("cache/saml/metadata")}`
+    File.open Rails.root.join("cache/saml/metadata/#{fname}"), "rb" do |f|
+      Marshal.load f
+    end
+  }
+
+  # Find ServiceProvider metadata_url and fingerprint based on our settings
+  config.service_provider.finder = ->(issuer_or_entity_id) do
+    service_providers[issuer_or_entity_id]
+  end
+end
+```
+
+# Keys and Secrets
+To generate the SAML Response it uses a default X.509 certificate and secret key... which isn't so secret.
+You can find them in `SamlIdp::Default`. The X.509 certificate is valid until year 2032.
+Obviously you shouldn't use these if you intend to use this in production environments. In that case,
+within the controller set the properties `x509_certificate` and `secret_key` using a `prepend_before_filter`
+callback within the current request context or set them globally via the `SamlIdp.config.x509_certificate`
+and `SamlIdp.config.secret_key` properties.
+
+The fingerprint to use, if you use the default X.509 certificate of this gem, is:
+
+```
+9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D
+```
+
+
+# Service Providers
+To act as a Service Provider which generates SAML Requests and can react to SAML Responses use the
+excellent [ruby-saml](https://github.com/onelogin/ruby-saml) gem.
+
+
+# Author
+Jon Phenow, jon.phenow@sportngin.com
+
+Lawrence Pit, lawrence.pit@gmail.com, lawrencepit.com, @lawrencepit
+
+# Copyright
+Copyright (c) 2012 Sport Ngin.
+Portions Copyright (c) 2010 OneLogin, LLC
+Portions Copyright (c) 2012 Lawrence Pit (http://lawrencepit.com)
+
+See LICENSE for details.

data/app/controllers/saml_idp/idp_controller.rb

@@ -0,0 +1,42 @@
+# encoding: utf-8
+module SamlIdp
+  class IdpController < ActionController::Base
+    include SamlIdp::Controller
+
+    unloadable
+    protect_from_forgery
+    before_filter :validate_saml_request, only: [:new, :create]
+
+    def new
+      render template: "saml_idp/idp/new"
+    end
+
+    def show
+      render xml: SamlIdp.metadata.signed
+    end
+
+    def create
+      unless params[:email].blank? && params[:password].blank?
+        person = idp_authenticate(params[:email], params[:password])
+        if person.nil?
+          @saml_idp_fail_msg = "Incorrect email or password."
+        else
+          @saml_response = idp_make_saml_response(person)
+          render :template => "saml_idp/idp/saml_post", :layout => false
+          return
+        end
+      end
+      render :template => "saml_idp/idp/new"
+    end
+
+    def idp_authenticate(email, password)
+      raise NotImplementedError
+    end
+    protected :idp_authenticate
+
+    def idp_make_saml_response(person)
+      raise NotImplementedError
+    end
+    protected :idp_make_saml_response
+  end
+end

data/app/views/saml_idp/idp/new.html.erb

@@ -0,0 +1,21 @@
+<% if @saml_idp_fail_msg %>
+  <div id="saml_idp_fail_msg" class="flash error"><%= @saml_idp_fail_msg %></div>
+<% end %>
+
+<%= form_tag do %>
+  <%= hidden_field_tag("SAMLRequest", params[:SAMLRequest]) %>
+
+  <p>
+    <%= label_tag :email %>
+    <%= email_field_tag :email, params[:email], :autocapitalize => "off", :autocorrect => "off", :autofocus => "autofocus", :spellcheck => "false", :size => 30, :class => "email_pwd txt" %>
+  </p>
+
+  <p>
+    <%= label_tag :password %>
+    <%= password_field_tag :password, params[:password], :autocapitalize => "off", :autocorrect => "off", :spellcheck => "false", :size => 30, :class => "email_pwd txt" %>
+  </p>
+
+  <p>
+    <%= submit_tag "Sign in", :class => "button big blueish" %>
+  </p>
+<% end %>

data/app/views/saml_idp/idp/saml_post.html.erb

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+  </head>
+  <body onload="document.forms[0].submit();" style="visibility:hidden;">
+    <%= form_tag(saml_acs_url) do %>
+      <%= hidden_field_tag("SAMLResponse", @saml_response) %>
+      <%= submit_tag "Submit" %>
+    <% end %>
+  </body>
+</html>

data/lib/saml_idp.rb

@@ -0,0 +1,92 @@
+# encoding: utf-8
+module SamlIdp
+  require 'active_support/all'
+  require 'saml_idp/saml_response'
+  require 'saml_idp/xml_security'
+  require 'saml_idp/configurator'
+  require 'saml_idp/controller'
+  require 'saml_idp/default'
+  require 'saml_idp/metadata_builder'
+  require 'saml_idp/version'
+  require 'saml_idp/engine' if defined?(::Rails) && Rails::VERSION::MAJOR > 2
+
+  def self.config
+    @config ||= SamlIdp::Configurator.new
+  end
+
+  def self.configure
+    yield config
+  end
+
+  def self.metadata
+    @metadata ||= MetadataBuilder.new(config)
+  end
+end
+
+# TODO Needs extraction out
+module Saml
+  module XML
+    module Namespaces
+      METADATA = "urn:oasis:names:tc:SAML:2.0:metadata"
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+      SIGNATURE = "http://www.w3.org/2000/09/xmldsig#"
+      PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
+
+      module Statuses
+        SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
+      end
+
+      module Consents
+        UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:consent:unspecified"
+      end
+
+      module AuthnContext
+        module ClassRef
+          PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+          PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+        end
+      end
+
+      module Methods
+        BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
+      end
+
+      module Formats
+        module Attr
+          URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+        end
+
+        module NameId
+          EMAIL_ADDRESS = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+          TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+          PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+        end
+      end
+    end
+
+    class Document < Nokogiri::XML::Document
+      def signed?
+        !!xpath("//ds:Signature", ds: signature_namespace).first
+      end
+
+      def valid_signature?(fingerprint)
+        signed? &&
+          signed_document.validate(fingerprint, :soft)
+      end
+
+      def signed_document
+        XMLSecurity::SignedDocument.new(to_xml)
+      end
+
+      def signature_namespace
+        Namespaces::SIGNATURE
+      end
+
+      def to_xml
+        super(
+          save_with: Nokogiri::XML::Node::SaveOptions::AS_XML | Nokogiri::XML::Node::SaveOptions::NO_DECLARATION
+        ).strip
+      end
+    end
+  end
+end

data/lib/saml_idp/algorithmable.rb

@@ -0,0 +1,19 @@
+module SamlIdp
+  module Algorithmable
+    def algorithm
+      algorithm_check = raw_algorithm || SamlIdp.config.algorithm
+      return algorithm_check if algorithm_check.respond_to?(:digest)
+      begin
+        OpenSSL::Digest.const_get(algorithm_check.to_s.upcase)
+      rescue NameError
+        OpenSSL::Digest::SHA1
+      end
+    end
+    private :algorithm
+
+    def algorithm_name
+      algorithm.to_s.split('::').last.downcase
+    end
+    private :algorithm_name
+  end
+end

data/lib/saml_idp/assertion_builder.rb

@@ -0,0 +1,144 @@
+require 'builder'
+require 'saml_idp/algorithmable'
+require 'saml_idp/signable'
+module SamlIdp
+  class AssertionBuilder
+    include Algorithmable
+    include Signable
+    attr_accessor :reference_id
+    attr_accessor :issuer_uri
+    attr_accessor :principal
+    attr_accessor :audience_uri
+    attr_accessor :saml_request_id
+    attr_accessor :saml_acs_url
+    attr_accessor :raw_algorithm
+
+    delegate :config, to: :SamlIdp
+
+    def initialize(reference_id, issuer_uri, principal, audience_uri, saml_request_id, saml_acs_url, raw_algorithm)
+      self.reference_id = reference_id
+      self.issuer_uri = issuer_uri
+      self.principal = principal
+      self.audience_uri = audience_uri
+      self.saml_request_id = saml_request_id
+      self.saml_acs_url = saml_acs_url
+      self.raw_algorithm = raw_algorithm
+    end
+
+    def fresh
+      builder = Builder::XmlMarkup.new
+      builder.Assertion xmlns: Saml::XML::Namespaces::ASSERTION,
+        ID: reference_string,
+        IssueInstant: now_iso,
+        Version: "2.0" do |assertion|
+          assertion.Issuer issuer_uri
+          sign assertion
+          assertion.Subject do |subject|
+            subject.NameID name_id, Format: name_id_format[:name]
+            subject.SubjectConfirmation Method: Saml::XML::Namespaces::Methods::BEARER do |confirmation|
+              confirmation.SubjectConfirmationData "", InResponseTo: saml_request_id,
+                NotOnOrAfter: not_on_or_after_subject,
+                Recipient: saml_acs_url
+            end
+          end
+          assertion.Conditions NotBefore: not_before, NotOnOrAfter: not_on_or_after_condition do |conditions|
+            conditions.AudienceRestriction do |restriction|
+              restriction.Audience audience_uri
+            end
+          end
+          assertion.AttributeStatement do |attr_statement|
+            config.attributes.each do |friendly_name, attrs|
+              attrs = (attrs || {}).with_indifferent_access
+              attr_statement.Attribute Name: attrs[:name] || friendly_name,
+                NameFormat: attrs[:name_format] || Saml::XML::Namespaces::Formats::Attr::URI,
+                FriendlyName: friendly_name.to_s do |attr|
+                  values = get_values_for friendly_name, attrs[:getter]
+                  values.each do |val|
+                    attr.AttributeValue val.to_s
+                  end
+              end
+            end
+          end
+          assertion.AuthnStatement AuthnInstant: now_iso, SessionIndex: reference_string do |statement|
+            statement.AuthnContext do |context|
+              context.AuthnContextClassRef Saml::XML::Namespaces::AuthnContext::ClassRef::PASSWORD
+            end
+          end
+        end
+    end
+    alias_method :raw, :fresh
+    private :fresh
+
+    def get_values_for(friendly_name, getter)
+      result = nil
+      if getter.present?
+        if getter.respond_to?(:call)
+          result = getter.call(principal)
+        else
+          message = getter.to_s.underscore
+          result = principal.public_send(message) if principal.respond_to?(message)
+        end
+      elsif getter.nil?
+        message = friendly_name.to_s.underscore
+        result = principal.public_send(message) if principal.respond_to?(message)
+      end
+      Array(result)
+    end
+    private :get_values_for
+
+    def name_id
+      name_id_getter.call principal
+    end
+    private :name_id
+
+    def name_id_getter
+      getter = name_id_format[:getter]
+      if getter.respond_to? :call
+        getter
+      else
+        ->(principal) { principal.public_send getter.to_s }
+      end
+    end
+    private :name_id_getter
+
+    def name_id_format
+      @name_id_format ||= NameIdFormatter.new(config.name_id.formats).chosen
+    end
+    private :name_id_format
+
+    def reference_string
+      "_#{reference_id}"
+    end
+    private :reference_string
+
+    def now
+      @now ||= Time.now.utc
+    end
+    private :now
+
+    def now_iso
+      iso { now }
+    end
+    private :now_iso
+
+    def not_before
+      iso { now - 5 }
+    end
+    private :not_before
+
+    def not_on_or_after_condition
+      iso { now + 60 * 60 }
+    end
+    private :not_on_or_after_condition
+
+    def not_on_or_after_subject
+      iso { now + 3 * 60 }
+    end
+    private :not_on_or_after_subject
+
+    def iso
+      yield.iso8601
+    end
+    private :iso
+  end
+end